Issue Type: Improvement
Affects Versions: 2.2.5
Assignee: Unassigned
Created: 11/Aug/14 1:56 PM

Description:
The form module HTML-escapes inputs by default. In certain situations this is not good.
Clearly in the password field, as it won't store the PW with allowed characters that differ from the 1:1 input. This leads to problems when the PW is also reused for other systems.
The customer also needs to store inputs from other fields unchanged (see linked support ticket). Examples as original value to store
becomes
Research & Development
.
The problem is this line in the info.magnolia.module.form.templates.components.DefaultFormDataBinder#bindAndValidateFields method:
final String value = EscapeUtil.escapeXss(StringUtils.join(MgnlContext.getParameterValues(controlName), "__"));
Suggested solution:
All form fields should be HTML-escaped to prevent XSS attacks.
But allow a configuration on the form field to disable it for this specific field.
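As an added illustration (not code from this issue or from the Magnolia form module), the Java sketch below shows the suggested solution: the bind step joins multi-valued parameters with "__" as the quoted line does, escapes every field by default, and honours a per-field switch that disables escaping. The escapeHtml helper, the FieldDefinition class and its escapeHtml property are assumptions standing in for EscapeUtil.escapeXss and whatever configuration property the module would expose; the request parameters are constructed sample input.

```java
import java.util.ArrayList;
import java.util.LinkedHashMap;
import java.util.List;
import java.util.Map;

public class FormFieldEscaping {

    /** Stand-in for EscapeUtil.escapeXss (assumed; not Magnolia's implementation). */
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&':  sb.append("&amp;");  break;
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    /** Field definition carrying the proposed per-field switch; "escapeHtml" is an assumed property name. */
    static final class FieldDefinition {
        final String controlName;
        final boolean escapeHtml; // true = default behaviour, false = store the 1:1 input

        FieldDefinition(String controlName, boolean escapeHtml) {
            this.controlName = controlName;
            this.escapeHtml = escapeHtml;
        }
    }

    /**
     * Mirrors the bind step quoted in the issue: join the submitted values with "__",
     * then escape unless the field definition opts out. A field that opts out keeps
     * its raw value, so the template that later renders it must escape at output time.
     */
    static Map<String, String> bindFields(Map<String, String[]> parameters, List<FieldDefinition> fields) {
        Map<String, String> bound = new LinkedHashMap<>();
        for (FieldDefinition field : fields) {
            String[] values = parameters.get(field.controlName);
            if (values == null) {
                continue; // control not present in the request
            }
            String joined = String.join("__", values);
            bound.put(field.controlName, field.escapeHtml ? escapeHtml(joined) : joined);
        }
        return bound;
    }

    public static void main(String[] args) {
        // Constructed sample request parameters.
        Map<String, String[]> params = new LinkedHashMap<>();
        params.put("department", new String[] {"Research & Development"});
        params.put("password", new String[] {"p<ss&w0rd\"x"});
        params.put("comment", new String[] {"<b>bold</b> text"});

        List<FieldDefinition> fields = new ArrayList<>();
        fields.add(new FieldDefinition("department", false)); // must be stored unchanged
        fields.add(new FieldDefinition("password", false));   // must round-trip 1:1
        fields.add(new FieldDefinition("comment", true));     // untrusted free text: default escaping

        Map<String, String> stored = bindFields(params, fields);
        stored.forEach((name, value) -> System.out.println(name + " -> " + value));
    }
}
```

Running main prints the department and password values exactly as submitted and the comment with its angle brackets escaped. The switch only moves the escaping duty: whatever renders an opted-out field (a confirmation page, a notification mail, a CMS listing) has to escape it itself, so it is worth keeping the opt-out an explicit per-field decision rather than a global setting.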

Project: Magnolia Form Module
Labels: support
Priority: Neutral
Reporter: Christian Ringele

This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
----------------------------------------------------------------
For list details, see: http://www.magnolia-cms.com/community/mailing-lists.html
Alternatively, use our forums: http://forum.magnolia-cms.com/
To unsubscribe, E-mail to: <dev-list-unsubscr...@magnolia-cms.com>
----------------------------------------------------------------